toad.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
Mastodon server operated by David Troy, a tech pioneer and investigative journalist addressing threats to democracy. Thoughtful participation and discussion welcome.

Server stats: 291 active users

#malwareanalysis

2 posts, 2 participants, 0 posts today

Today we have another #DEFCONTraining Bahrain Spotlight - “A Complete Practical Approach to Malware Analysis & Threat Hunting with Memory Forensics, Endpoint Telemetry, & AI-Driven Hunting” with Monnappa K A and Sajan Shetty on November 3-4.

This 2-day intensive, hands-on training teaches the concepts, tools, and techniques required to analyze, investigate, and hunt malware by combining four powerful approaches: malware analysis, reverse engineering, memory forensics, and endpoint telemetry-based threat hunting. The course begins with the foundations of malware analysis, Windows internals, and memory forensics, before moving into advanced concepts of malware investigation and hunting adversary techniques.

What makes this training unique and future-ready is the introduction to the concept of AI-powered autonomous hunting with the Garuda Threat Hunting Framework.

Take a deeper look and register for this course today: training.defcon.org/collection

Explore the full list of offerings in Bahrain at training.defcon.org/collection

#defcon #cyber #training #defconbahrain #AICS2025 #Bahrain #UAE #SaudiArabia #cybertraining #infosec #cybersecurity #cyberdefense #malwareanalysis #threathunting #memoryforensics #AI #endpointtelemetry

Released v1.17.0 of The Pdfalyzer, the surprisingly popular tool for analyzing (possibly malicious) PDFs I created after my own unpleasant experience. Now ships with two command line tools for extracting stuff from PDF files:

1. extract_text_from_pdfs() - brute force extract all text from a PDF, including doing an #OCR extraction of any embedded images

2. extract_pdf_pages() - rip a page range from a #PDF and write them to a new one

* Github: github.com/michelcrypt4d4mus/p
* Pypi: pypi.org/project/pdfalyzer/
* Homebrew: formulae.brew.sh/formula/pdfal
* Fun thread someone made last week using Pdfalyzer to explain some of how byzantine the PDF format is: x.com/VikParuchuri/status/1965

#pypi #python #pdfs

Used some #AI to jury rig a basic API documentation site for The Yaralyzer, my unexpectedly popular tool for visualizing and forcibly decoding #YARA matches in binary data.

* GitHub: github.com/michelcrypt4d4mus/y
* PyPi: pypi.org/project/yaralyzer/
* API documentation: michelcrypt4d4mus.github.io/ya
* Can also be installed (indirectly) via homebrew if you install The #Pdfalyzer (different tool)

🦀 New Rust reversing article! Let's take a look at a simple loader for some infostealer malware, distributed via a "can you try my game" scam on Discord. But it's Rust, so is it really simple? This malware sample has a few twists!

cxiao.net/posts/2025-08-17-not

Along the way, I'll go into detail about how threads, dynamic dispatch, and types work in Rust binaries. It may be helpful for your next Rust reversing adventure!

Thanks very much to @0xabad1dea and @demize for providing the sample!

Edit: The infostealer delivered here is actually a known one, called Myth Stealer! You can read more about the stealer payload in Trellix's article, Demystifying Myth Stealer: A Rust Based InfoStealer. Thank you to one of the article authors for reaching out to me about it!

cxiao.net · Reversing a (not-so-) Simple Rust Loader

just released version 1.0.1 of The Yaralyzer, my unexpectedly popular tool for visualizing and forcibly decoding #YARA matches in binary data. Fixes a small bug when trying to choose a byte offset to force a UTF-16 or UTF-32 decoding of matched bytes.

someone set up Yaralyzer as a #Kali package; not sure if that's made it into a release yet but if not the links are below.

universeodon.com/@cryptadamist

Universeodon Social Media · Michel de Cryptadamus (@cryptadamist@universeodon.com) [attached: 1 image]

just pushed a new release of The Yaralyzer, my unexpectedly popular tool for visually inspecting the output of #YARA scans with a lot of colors. example output below. change is small: it can now use a directory full of YARA rules files without renaming them all to end in .yara. https://github.com/michelcrypt4d4mus/yaralyzer

someone has packaged this tool for Kali Linux though I don't know if it's in the distro yet. also available for macOS homebrew via an installer someone made for The Pdfalyzer. Thomas Roccia at #Microsoft was also kind enough to make The Yaralyzer available via a web interface: https://x.com/fr0gger_/status/1749690000478974283

#malware #infosec #cybersecurity #kali #KaliLinux #YARArules #malwaredetection #threathunting #reverseEngineering #malwareAnalysis #reversing #yaralyze #yaralyzer #pdfalyze #pdfalyzer #detectionengineering

Analysis of #Koske #miner.

It is an AI-generated #Linux #malware which was hidden in images with pandas. It supports a wide variety of coinminers for various cryptocurrencies, for GPUs and for different CPU architectures. Another component, the #rootkit #hideproc, tries to hide the Koske miner from file listings and process listings.

malwarelab.eu/posts/koske-pand

Video from #anyrun analysis:

youtube.com/watch?v=1OSPp996XQ4

Just published version 1.16.6 of The Pdfalyzer, the surprisingly popular tool for analyzing (possibly malicious) PDFs I created after my own unpleasant encounter with such a creature. Includes a (kind of janky) #YARA rule for #GIFTEDCROOK infostealer PDFs.

* Github: github.com/michelcrypt4d4mus/p
* Pypi: pypi.org/project/pdfalyzer/
* Homebrew: formulae.brew.sh/formula/pdfal

#pypi #python #pdf

🚨 0-day vibes from 2017? Yup, it’s still happening.

A malicious Excel file using CVE-2017-0199 is out here in 2025 dropping FormBook like it's a fresh mixtape.

The attack chain?

  • Macro-free Excel
  • Weaponized with remote .hta
  • Payload: Info-stealer FormBook

Despite being 7+ years old, this vuln still slaps in phishing campaigns — because patching is apparently a myth.

Full technical breakdown by @FortiGuardLabs: fortinet.com/blog/threat-resea

TL;DR for blue teamers:

  • Watch your egress traffic
  • Harden Office apps
  • Monitor LOLBins (Living Off the Land Binaries)
  • Block outbound to shady IPs faster than your memes go viral

Don’t let your org get dunked on by a 2017 CVE in 2025. That’s not a good look.

Cybercrime group FIN6 (aka Skeleton Spider) is leveraging trusted cloud services like AWS to deliver malware through fake job applications.

Our latest analysis breaks down:
🔹 How attackers use LinkedIn & Indeed to build trust
🔹 The use of resume-themed phishing lures
🔹 Cloud-hosted infrastructure that evades detection
🔹 The delivery of the More_eggs backdoor via .LNK files
🔹 Key defense strategies for recruiters and security teams

This campaign is a masterclass in low-complexity, high-evasion phishing.

📖 Read the full breakdown: dti.domaintools.com/skeleton-s

🕵️‍♂️ Ever wonder how cybercriminals weaponize PDFs? 💥

Check out Filipi Pires' #BSidesBoulder25 talk, "Structural Insights: PDF Analysis for Detecting and Defending Against Threats"! In his session, he’ll explore the structure of PDFs and how malicious payloads can be hidden within them, provide guidance on identifying Indicators of Attack (IOAs) found within them, and show you how to outsmart common obfuscation routines found in them. Come for the malware, stay for the live demos and defense tips! 📄 #CyberSecurity #PDFThreats #MalwareAnalysis #BSides #BSidesBoulder

Check out our full schedule at bsidesboulder.org/schedule/

Tickets are available for purchase for our 13 June event here: eventbrite.com/e/bsides-boulde

bsidesboulder.org · Schedule (schedule is subject to change)

🖥️ A new Windows-based Remote Access Trojan (RAT) has been exposed — and it’s unusually stealthy.

👉 It corrupts critical DOS + PE headers, making it difficult to analyze or reconstruct.
👉 It embeds inside dllhost.exe, communicates via encrypted C2, and runs multi-threaded client sessions.
👉 Researchers at Fortinet had to replicate the compromised system’s environment to finally analyze it.

🚨 This attack highlights how adversaries are evolving to evade both detection and reverse engineering.
⚠️ Organizations should ensure endpoint monitoring can catch process anomalies — not just file signatures.

#CyberSecurity 🛡️ #MalwareAnalysis 🔍 #WindowsSecurity 💻 #ThreatIntel 🌐
thehackernews.com/2025/05/new-

The Hacker News · New Windows RAT Evades Detection for Weeks Using Corrupted DOS and PE Headers: Malware with corrupted DOS and PE headers evades detection for weeks, decrypts TLS-based C2 and enables full attacker control.

🔥 Hot off the presses!

DomainTools Investigations shares that a spoofed antivirus download page is delivering VenomRAT, StormKitty, and SilentTrinity—a powerful combo for credential theft, persistence, and long-term access.

🔎 We traced the infrastructure, payloads, and attacker tactics.

Full breakdown: dti.domaintools.com/venomrat/?